Monday, May 31, 2010

Installing SimpleCaptcha is no different than installing most other libraries for a J2EE container: a jar is deployed to WEB-INF/lib and web.xml is updated. These steps are described in detail below.

1. Download SimpleCaptcha
2. Copy the jar file to your WEB-INF/lib directory
3. Add a mapping to web.xml. There are three servlets provided out of the box: StickyCaptchaServlet, SimpleCaptchaServlet, and ChineseCaptchaServlet. All generate CAPTCHA image/answer pairs, but StickyCaptchaServlet and ChineseCaptchaServlet are “sticky” to the user’s session: page reloads will render the same CAPTCHA instead of generating a new one. An example mapping for StickyCaptchaServlet:

The width and height parameters are optional; if unprovided the image will default to 200×50.

4. Restart your webserver.
5. Browse to the location given by the url-pattern defined in web.xml, e.g., http://localhost:8080/stickyImg. If everything has been set up correctly you should see a CAPTCHA image.
6. Now create a JSP called captcha.jsp. Add the following code inside the <body> element:
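The JSP that step 6 describes, written out here as an added example rather than the post's own snippet. It assumes the StickyCaptchaServlet mapping from step 5 (`/stickyImg`) and that the servlet stores the current `Captcha` object in the session under the `Captcha.NAME` attribute, which is how SimpleCaptcha's sticky servlets work; the form field name and the messages are made up for the example.

```jsp
<%-- captcha.jsp: added example, not the original post's code.
     Assumes StickyCaptchaServlet is mapped to /stickyImg and keeps the
     current Captcha in the session under Captcha.NAME. --%>
<%@ page import="nl.captcha.Captcha" %>
<%
    String answer = request.getParameter("answer");
    String result = null;
    if (answer != null) {
        // The sticky servlet generated this Captcha when the image was loaded.
        Captcha captcha = (Captcha) session.getAttribute(Captcha.NAME);
        if (captcha == null) {
            result = "No CAPTCHA in session; load the image first.";
        } else if (captcha.isCorrect(answer.trim())) {
            result = "Correct.";
            // Drop the solved CAPTCHA so the same answer cannot be submitted twice;
            // the next image request makes the servlet generate a fresh one.
            session.removeAttribute(Captcha.NAME);
        } else {
            result = "Incorrect, try again.";
        }
    }
%>
<html>
<body>
  <% if (result != null) { %>
    <p><%= result %></p>
  <% } %>
  <img src="<%= request.getContextPath() %>/stickyImg" alt="CAPTCHA" />
  <form method="post" action="captcha.jsp">
    <label>Type the characters shown:
      <input type="text" name="answer" autocomplete="off" /></label>
    <input type="submit" value="Check" />
  </form>
</body>
</html>
```

The check has to happen on the server against the session copy; the image alone carries no answer, so a client cannot satisfy it by resubmitting a value it saw earlier. Removing the attribute after a correct answer is what keeps one solved CAPTCHA from being reused across many form submissions.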

Friday, May 7, 2010

A common threat web developers face is a password-guessing attack known as a brute-force attack. A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination is found. If your web site requires user authentication, you are a good target for a brute-force attack.

An attacker can always discover a password through a brute-force attack, but the downside is that it could take years to find it. Depending on the password's length and complexity, there could be trillions of possible combinations. To speed things up, a brute-force attack could start with dictionary words or slightly modified dictionary words, because most people will use those rather than a completely random password. These attacks are called dictionary attacks or hybrid brute-force attacks. Brute-force attacks put user accounts at risk and flood your site with unnecessary traffic.

Hackers launch brute-force attacks using widely available tools that utilize wordlists and smart rulesets to intelligently and automatically guess user passwords. Although such attacks are easy to detect, they are not so easy to prevent. For example, many HTTP brute-force tools can relay requests through a list of open proxy servers. Since each request appears to come from a different IP address, you cannot block these attacks simply by blocking the IP address. To further complicate things, some tools try a different username and password on each attempt, so you cannot lock out a single account for failed password attempts.

Blocking Mechanism

* For advanced users who want to protect their accounts from attack, give them the option to allow login only from certain IP addresses.
* Assign unique login URLs to blocks of users so that not all users can access the site from the same URL.
* Use a CAPTCHA to prevent automated attacks (see the sidebar "Using CAPTCHAs").
* Instead of completely locking out an account, place it in a lockdown mode with limited capabilities.
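Two of the mechanisms listed above, an optional allowed-IP list per account and a lockdown mode in place of a hard lockout, combined in one login policy. This is an added example and not code from the original post; the class and method names, the failure threshold and the idea that the caller decides what "limited capabilities" means are all assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the original post): per-account login policy.
 * An account may be restricted to a set of source IPs, and repeated password
 * failures move it into a lockdown mode rather than locking it out entirely.
 */
public class LoginPolicy {
    public enum Outcome { ALLOWED, ALLOWED_LOCKDOWN, DENIED_IP, DENIED_PASSWORD }

    static final int LOCKDOWN_AFTER_FAILURES = 5;   // assumed threshold

    private final Map<String, Set<String>> allowedIps = new HashMap<>();
    private final Map<String, Integer> failures = new HashMap<>();
    private final Set<String> lockedDown = new HashSet<>();

    /** Opt-in for advanced users: only these IPs may attempt a login for the account. */
    public void restrictToIps(String user, String... ips) {
        allowedIps.put(user, new HashSet<>(Arrays.asList(ips)));
    }

    public Outcome login(String user, String ip, boolean passwordOk) {
        Set<String> ips = allowedIps.get(user);
        if (ips != null && !ips.contains(ip)) {
            return Outcome.DENIED_IP;       // rejected before the password is even considered
        }
        if (!passwordOk) {
            int n = failures.merge(user, 1, Integer::sum);
            if (n >= LOCKDOWN_AFTER_FAILURES) {
                lockedDown.add(user);       // limited mode, the user can still get in
            }
            return Outcome.DENIED_PASSWORD;
        }
        failures.remove(user);
        return lockedDown.contains(user) ? Outcome.ALLOWED_LOCKDOWN : Outcome.ALLOWED;
    }

    public boolean isLockedDown(String user) {
        return lockedDown.contains(user);
    }

    /** Lift the restriction, e.g. after the user confirms out of band. */
    public void clearLockdown(String user) {
        lockedDown.remove(user);
    }

    public static void main(String[] args) {
        LoginPolicy policy = new LoginPolicy();
        policy.restrictToIps("alice", "198.51.100.7");   // constructed addresses
        System.out.println(policy.login("alice", "203.0.113.5", true));   // DENIED_IP
        for (int i = 0; i < LOCKDOWN_AFTER_FAILURES; i++) {
            policy.login("bob", "203.0.113.5", false);
        }
        System.out.println(policy.login("bob", "203.0.113.5", true));     // ALLOWED_LOCKDOWN
    }
}
```

The failure count is kept per account, so a guessing run against one user ends in lockdown after a handful of tries while a correct password still gets the legitimate owner in, just with reduced privileges. As the post notes, a tool that rotates usernames on every attempt never trips a per-account counter; the IP restriction and the CAPTCHA are the items on this list that still apply to that case.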

Here are conditions that could indicate a brute-force attack or other account abuse:

* Many failed logins from the same IP address
* Logins with multiple usernames from the same IP address
* Logins for a single account coming from many different IP addresses
* Excessive usage and bandwidth consumption from a single user
* Failed login attempts from alphabetically sequential usernames or passwords
* Logins with a referring URL of someone's mail or IRC client
* Referring URLs that contain the username and password in the format http://user:password@www.example.com/login.htm
* If protecting an adult Web site, referring URLs of known password-sharing sites
* Logins with suspicious passwords hackers commonly use, such as ownsyou (ownzyou), washere (wazhere), zealots, hacksyou, and the like (see www.securibox.net/phpBB2/viewtopic.php?t=8563)
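Several of the indicators above, applied to a handful of constructed log lines. This is an added example, not code from the original post: the log format (`ip username OK|FAIL referer`), the thresholds and the rule for what counts as "sequential" usernames are all assumptions chosen for the demonstration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not from the original post): brute-force indicators over login logs. */
public class BruteForceIndicators {
    // Constructed sample lines, one login attempt each: "<ip> <username> <OK|FAIL> <referer>"
    static final String[] SAMPLE_LOG = {
        "203.0.113.5 alice FAIL -",
        "203.0.113.5 bob FAIL -",
        "203.0.113.5 carol FAIL -",
        "203.0.113.5 dave FAIL -",
        "198.51.100.7 alice OK http://user:secret@www.example.com/login.htm",
        "198.51.100.8 alice OK -",
        "198.51.100.9 alice OK -",
        "192.0.2.1 user001 FAIL -",
        "192.0.2.1 user002 FAIL -",
        "192.0.2.1 user003 FAIL -",
    };
    static final int MAX_FAILS_PER_IP = 3;     // assumed thresholds
    static final int MAX_USERS_PER_IP = 3;
    static final int MAX_IPS_PER_USER = 3;
    // referer of the form scheme://user:password@host...
    static final Pattern CREDS_IN_URL = Pattern.compile("^[a-zA-Z]+://[^/@\\s]+:[^/@\\s]+@");
    static final Pattern NUM_SUFFIX = Pattern.compile("^(.*?)(\\d+)$");

    public static List<String> analyze(String[] lines) {
        Map<String, Integer> failsPerIp = new HashMap<>();
        Map<String, Set<String>> usersPerIp = new HashMap<>();
        Map<String, Set<String>> ipsPerUser = new HashMap<>();
        Map<String, List<String>> failedUsersPerIp = new HashMap<>();   // in log order
        List<String> alerts = new ArrayList<>();

        for (String line : lines) {
            String[] f = line.split(" ");
            if (f.length < 4) continue;                  // skip malformed lines
            String ip = f[0], user = f[1], status = f[2], referer = f[3];
            usersPerIp.computeIfAbsent(ip, k -> new HashSet<>()).add(user);
            if (status.equals("FAIL")) {
                failsPerIp.merge(ip, 1, Integer::sum);
                failedUsersPerIp.computeIfAbsent(ip, k -> new ArrayList<>()).add(user);
            } else {
                ipsPerUser.computeIfAbsent(user, k -> new HashSet<>()).add(ip);
            }
            if (CREDS_IN_URL.matcher(referer).find()) {
                alerts.add("credentials embedded in referer from " + ip);
            }
        }
        for (Map.Entry<String, Integer> e : failsPerIp.entrySet())
            if (e.getValue() >= MAX_FAILS_PER_IP) alerts.add("many failed logins from " + e.getKey());
        for (Map.Entry<String, Set<String>> e : usersPerIp.entrySet())
            if (e.getValue().size() >= MAX_USERS_PER_IP) alerts.add("multiple usernames from " + e.getKey());
        for (Map.Entry<String, Set<String>> e : ipsPerUser.entrySet())
            if (e.getValue().size() >= MAX_IPS_PER_USER) alerts.add("account " + e.getKey() + " used from many IPs");
        for (Map.Entry<String, List<String>> e : failedUsersPerIp.entrySet())
            if (looksSequential(e.getValue())) alerts.add("sequential usernames tried from " + e.getKey());
        return alerts;
    }

    /** True when at least three failures in a row each follow the previous username. */
    static boolean looksSequential(List<String> users) {
        if (users.size() < 3) return false;
        for (int i = 1; i < users.size(); i++) {
            if (!isSuccessor(users.get(i - 1), users.get(i))) return false;
        }
        return true;
    }

    /** "user001" -> "user002" (numeric suffix + 1) or "aab" -> "aac" (last character + 1). */
    static boolean isSuccessor(String a, String b) {
        Matcher ma = NUM_SUFFIX.matcher(a), mb = NUM_SUFFIX.matcher(b);
        if (ma.matches() && mb.matches() && ma.group(1).equals(mb.group(1))) {
            return Long.parseLong(mb.group(2)) - Long.parseLong(ma.group(2)) == 1;
        }
        return a.length() > 0 && a.length() == b.length()
            && a.regionMatches(0, b, 0, a.length() - 1)
            && b.charAt(b.length() - 1) - a.charAt(a.length() - 1) == 1;
    }

    public static void main(String[] args) {
        for (String alert : analyze(SAMPLE_LOG)) System.out.println(alert);
    }
}
```

On the sample lines this flags 203.0.113.5 for many failures and many usernames, 198.51.100.7 for the `user:secret@` referer, `alice` for successful logins from three addresses, and 192.0.2.1 for a sequential username sweep. The counts are per source address, which is exactly what the post says open proxies defeat; the per-account and referer checks are the ones that still fire when every request arrives from a different IP.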